A Sandvine Technology Showcase Contents Executive Summary... 1 Introduction... 2 Identification, Evaluation, and Enforcement. 2 The Policy Engine... 2 SandScript Freeform Policy Language... 2 Freeform Policy Expression... 3 Identification: Available Conditions... 3 Evaluation: Linking Conditions to Actions... 4 Rigid-form Policy Expression... 4 Freeform Policy Expression... 5 Enforcement: Taking Action... 6 Universal Access... 7 Unified Policy Control: Cross-Plane Synergy.. 8 Distributed Policy Decision Points... 10 Usability Working with SandScript... 10 Extensibility... 12 Regulatory Peace-of-Mind... 13 Scalability Infinite Rule Capacity... 13 Example Use Cases... 14 Conclusion... 17 Related Resources... 17 Invitation to Provide Feedback... 17 Executive Summary The Sandvine Policy Engine is the world s most versatile and powerful network policy control platform, and is the foundation of all Sandvine solutions. Our unique Policy Engine can be thought of as a black box into which information about measured conditions and provisioned subscriber entitlements flow, and out of which charging updates, management actions, and business intelligence emerge. The Policy Engine is driven by a highly-configurable freeform policy language called SandScript. Much more than a simple rules system, SandScript supports the unrestricted ability to define and associate an infinite set of fully-interactive, logic-based policy statements, any of which can affect a particular entity, such as a subscriber, in the desired context. Thanks to this versatility and power, the Policy Engine provides a single platform on which to introduce unified, standardscompliant network policy control into any fixed, mobile, or converged access network, whether the network is physical or virtual. This abstraction also makes the Sandvine Policy Engine a single mechanism by which communications service providers can express any past, present, or future network policy control use case. This paper explores the various capabilities of the Sandvine Policy Engine, and serves as a central launching point for understanding a wide variety of unique policy control features.
Introduction For today s communications service provider (CSP), protecting subscriber QoE, efficiently managing network resources and enabling new services is about creating intelligent policies. A Network Policy Control solution s baseline approach to policy expression and execution determines the limits of a network s ability to support next-generation use cases and adapt to future change. Identification, Evaluation, and Enforcement Network policy control, and the related (but slightly narrower) concept of policy management, is fundamentally about achieving business objectives by specifying how the network itself behaves in response to an infinitely diverse stream of events across the data, control, and B/OSS planes. A network policy is the technological implementation of a CSP s desired business objectives for their network. There are three distinct functions in any network management policy 1 : 1. Identify convergent conditions in the network 2. Evaluate business logic to determine the appropriate response 3. Enforce policy actions to achieve the desired result The Policy Engine The Policy Engine provides a single platform on which to introduce unified, standards-compliant network policy control into any fixed, mobile, or converged access network, whether the network is physical or virtual. This abstraction also makes the Sandvine Policy Engine a single mechanism by which communications service providers can express any past, present, or future network policy control use case. SandScript Freeform Policy Language A key differentiator of Sandvine technology is the way in which it handles policy management and expression. The Sandvine Policy Engine is driven by a flexible and highly-configurable event-based policy language called SandScript. SandScript is the freeform programming language that defines the rules, calculations, expressions, policy decisions, and enforcement actions that executed by the Sandvine Policy Engine. Much more than a simple and rigid rules system, SandScript supports the unrestricted ability to define and associate an infinite set of fully-interactive, logic-based policy statements, any of which can affect a particular entity, such as a subscriber, in the desired context. This method of policy expression provides Sandvine s customers with a significant advantage over competitors because they are able to precisely achieve desired business goals through network policy control. 1 For a complete overview of Network Policy Control methods and theory, see the Sandvine whitepaper Network Policy Control Methods and Considerations. Page 2
Freeform Policy Expression The Sandvine Policy Engine provides the network with the decision-making intelligence and enforcement capabilities required to truly bring business objectives to life. Our Policy Engine can be thought of as a black box into which information about measured conditions and provisioned subscriber entitlements flow, and out of which charging updates, management actions, and business intelligence emerge. The SandScript freeform policy language is the real-time thinking component of Sandvine s Policy Engine, where human ideas about what to do in a particular situation are expressed in technical terms to achieve a desired outcome. Identification: Available Conditions The Policy Engine is designed to accurately identify the many possible conditions occurring within the network (and its supporting systems) that CSPs can incorporate into their overall policy management design in support of a particular business objective. This is more than just simple traffic identification through deep packet inspection (DPI), and includes the ability to accurately identify a wide variety of conditions beyond the protocol in support of many powerful use cases. 2 The Policy Engine has the ability to evaluate many different data plane and control plane conditions in support of many possible actions to maximize a CSP s ability to deploy rich use cases that achieve specific business goals. Conditions on the Data Plane The Policy Engine identifies data plane conditions that deal mainly with understanding the nature of subscriber traffic 3 : What type of traffic is it (application protocol)? What is it doing (streaming a video, delivering web content, conducting a DDoS attack, etc.)? What are its characteristics (e.g., volume, number of events, duration, quality of experience, bitrate, codec, round-trip time latency, etc.)? Is this network resource congested right now? What is the total amount of video traffic being carried by the network right now? Conditions on the Control Plane The Policy Engine identifies control plane conditions that revolve around meta-information related to how the network functions: A subscriber logs on to the network: who is it? To what mobile tower did the subscriber connect? What is the quality of service requirement (QoS Class Identifier) for the application in use? What are the subscriber s entitlements (e.g., OCS updating a PCRF on available data quota, what service plan does the subscriber have, etc.)? A Diameter Gx policy enforcement instruction is received 2 For a complete overview of Sandvine traffic classification, see the whitepaper Identifying and Measuring Internet Traffic: Techniques and Considerations and the technology showcases Traffic Classification: Identifying and Measuring Internet Traffic and Policy Control for Connected and Tethered Devices 3 For a complete overview of the issues surrounding Internet traffic classification, see Identifying and Measuring Internet Traffic: Techniques and Considerations. Page 3
Evaluation: Linking Conditions to Actions 4 The evaluation function examines one or more conditions and outputs one or more actions, to achieve some goal. This simple characterization betrays immense complexity behind the scenes, and variation between solution capabilities. For any Network Policy Control solution, the method of policy expression largely determines how capable a solution is at evaluating sets of conditions and what actions it can do in response. A Sandvine policy is a set of orthogonal, non-rigid rules (e.g., number of bytes allowed, number of connections allowed, applications allowed, time of day, etc.). SandScript supports the boolean expression of individual conditions that link to actions when the conditions evaluate true. This policy expression matrix allows Sandvine to combine any combination of conditions to trigger any combination of actions, and accommodate the concept of entities having things (e.g., specific characteristics based on thresholds, if/and/or statements parsed in real time, etc.) as opposed to merely being things (e.g., gold subscriber, silver subscriber, etc). Figure 1: Sandvine Policy Evaluation Rigid-form Policy Expression With the rigid-form approach, the DPI box arrives with a preset number of policy channels programmed into firmware. These are essentially containers or pipes, which we can think of as tubes, into which hard-coded conditions and actions can be placed to create rules. As shown by Figure 2, rigid-form systems work by dividing traffic between virtual tubes, each of which gets some amount of reserved bandwidth. Each data packet is examined to determine to which virtual policy tube it belongs, and each packet can only be assigned to a single virtual tube. Each virtual tube has a corresponding rule in a linear hierarchy, and the rules consider many conditions to provide the CSP with very granular control. Users can only choose from the pick-list of preset, hard-coded conditions and are forced to arrange them into the preset, limited number of tubes. Each policy tube is a selfcontained entity, and is unable to interact directly with any of the other policy tubes to support use cases that would benefit from the ability to do so. 4 For a deeper conceptual analysis of the concepts underlying policy evaluation, including the ability to examine conditions, the importance of the rules architecture, and the triggering of actions, see the whitepaper Network Policy Control: Methods and Considerations. Page 4
Figure 2: Conceptual representation of rigid-form policy creation This model is simple and straightforward, but suffers from a few significant limitations: first, there is often a hard limit on the number of rules; second, the operator must carefully construct a linear hierarchy to represent what is probably a much more complicated and nuanced set of business objectives; third, if business priorities or objectives change, or new use cases are sought, then that strict prioritized list of rules might need to be completely rebuilt; fourth, to maximize performance the most frequently-triggered rules should be placed high up in the list. In short, the real world typically isn t linearly prioritized. This type of system, while easy to get up and running, quickly forces the operator to make mental contortions to fit a strict architecture. Whatever their original intensions, CSPs must redesign their objectives to fit the limitations of the rigid rule-set enforced by this approach. Freeform Policy Expression Sandvine uses a unique freeform system for policy expression that can identify an entire set of applicable rules (i.e., as opposed to finding a first match and then exiting the search), each of which triggers separate actions. By its very nature, SandScript s ability to express policy freely offers enormous benefits for network operators for policy evaluation: It allows much greater flexibility in expression of business objectives, because conditions need not be artificially linked together; instead, different policies (each consisting of a collection of rules) can be expressed independently but are still guaranteed to be evaluated. This characteristic has important benefits for ongoing maintenance and extension: new policies can be added, independently, at any time, without having to re-examine the existing collection of policies. Because they are not consuming from a finite pool of deterministic outcomes, there is no concept of a finite rules limit Page 5
Figure 3: Flexible SandScript policy definition Using the SandScript policy language, which does not conceptualize the Internet as a series of rigid rule statements, users can build policies from a vast library of possible conditions and actions. Identifying conditions that will be part of the policy is only part of the process Sandvine s freeform policy expression provides the ability to include complex operations in the examination of conditions: True/false assessment Measurements and mathematical operations Numerical values and comparators (e.g., greater than, less than, equal to) Percentage values and comparators (e.g., is X greater than 50% of Y?) Set membership String functions Because the rules of Sandvine policy are not static, isolated, binary statements evaluated in a linear fashion there is no limit to the number of dimensions that can be included in an overall policy nor to the number of policies that can be created. Enforcement: Taking Action The Policy Engine supports various types of enforcement actions. Example Sandvine policy actions Enforcement QoS Mark Record/Report/Log Signal Shape/Throttle Block Description Use DSCP to mark packet for downstream/upstream prioritization Record conditions, measurements, and actions for reporting and auditing purposes Send standards-compliant signal to another element with instructions Directly shape data plane throughput Block traffic (for instance, if the packets are part of an attack) Page 6
Redirect Meter Intercede to direct subscriber traffic to a service function chain, or a walled garden/captive portal Record data usage for charging purposes, or in support of fair use policies The Policy Engine also provides flexible options for how and where actions take place in the network: Enforce policies locally, for instance as traffic passes through the system; or Trigger remote enforcement (e.g., initiating a Diameter Gx or Rx message that is acted upon by another system); or A hybrid approach: the Policy Engine directly changes a DSCP mark on a packet, and that mark is subsequently acted upon by another system Universal Access Figure 1 Enforcement options and methods Network policies are realized by communications and signaling that occur on the data and control plane using a wide variety of methods (e.g., data plane flow and subscriber characteristics, Diameter signaling, PCMM signaling, Radius, LDAP, DHCP, REST/SOAP, IPDR, etc.). The heterogeneity of the policy management spectrum is a challenge CSPs must constantly overcome in the pursuit of uniform/consistent implementation of business objectives. Page 7
Figure 4: Universal Access To maintain the universal applicability of the core policy expressed using SandScript, Sandvine uses Policy Drivers to interpret events communicated through various standards-based interfaces and passes them to the policy engine in the form of policy events (or conditions). The Policy Engine evaluates these events and passes back an action which is then translated back into the appropriate standardsbased interface. Figure 5 illustrates this concept for a few common, standards-based interfaces: Figure 5: Policy Drivers Policy drivers allow quick adaptation to evolving standards without requiring a major architectural change of the entire platform. Unified Policy Control: Cross-Plane Synergy The Policy Engine spans both the data plane and control plane, embedded within Sandvine s PCEF/TDF and PCRF elements, and interacts with the B/OSS plane and remote enforcement points using standards-compliant interfaces. This unification across the control and data planes and the distributed intelligence that it brings delivers many benefits: Operators define a policy once, and it is seamlessly and consistently applied across control and data planes Page 8
Use cases are not limited by the difference between a control plane policy platform and a data plane policy platform synergy maximizes solution utility Control signaling and the load on PCRF elements are significantly reduced, since decisions are made locally Policy decisions are made faster, without needing to wait for a query and response The control and data planes have a common model of network policy control, so they have an equivalent understanding of what the business policy means and how it is implemented Network policy control is completely agnostic of access technologies and vendors within the network To demonstrate how freeform policies in both the control and data plane can work together to enable innovative service offerings, Figure 6 shows an example of Sandvine enabling online charging with family plan processing: Figure 6: Specific Family Plan quota management and billing example The PTS counts usage and associates it accurately with the correct subscriber, while the SDE manages a device-specific quota plan for each family member, using the same Policy Engine platform. The following is a SandScript snippet that outlines the functionality that would be implemented by the unified control and data plane policies shown by Figure 6: (ON SUBSCRIBER IP MAPPING) If RADIUS-MESSAGE CONTAINS MSISDN MAP IP ADDRESS TO SUBSCRIBER WITH MOBILE FEATURES LOOKUP FOR FAMILY-PLAN-INDICATOR ON DATABASE ELSE /* will map DHCP and RADIUS */ MAP IP ADDRESS TO SUBSCRIBER WITH FIXED FEATURES LOOKUP FOR FAMILY-PLAN-INDICATOR ON DATABASE If FAMILY-PLAN-INDICATOR FOUND (e.g. 123) THEN MAP USER TO FAMILY PLAN ID (e.g. 123) (ON QUOTA USAGE EVENT) IF SUBSCRIBER PART OF FAMILY PLAN IF SUBSCRIBER IS MOBILE DEPLETE SUBSCRIBER-SPECIFIC-QUOTA DEPLETE FAMILY-LEVEL-QUOTA ELSE DEPLETE SUBSCRIBER-SPECIFIC-QUOTA Page 9
Distributed Policy Decision Points When the result of a decision is an action that affects network traffic, latency is an important factor to consider. There is a latency cost each time a policy management implementation signals the control plane, such as the PCEF asking the PCRF what to do about each flow and packet. The Policy Engine has the ability to evaluate network events (make decisions) using policy on the data and control planes, making it much more than the relatively dumb devices depicted in most reference architectures. By making decisions in the data plane element wherever possible, Sandvine allows CSPs to reduce the amount of control signaling by several orders of magnitude. Consequently, the control plane can be scaled down and the network becomes easier to operate. 5 This reduces latency by keeping relevant policy evaluation close the enforcement point so that it does not breach the control plane barrier. Figure 7: Distributed Policy Decision Points in 3GPP Networks Usability Working with SandScript SandScript defines the rules, calculations, expressions, measurements, policy decisions, and enforcement actions that are executed and implemented by the Sandvine Policy Engine. Control Center is Sandvine s graphical user interface for unified policy and operations management. Complex policies can be expressed through variable settings (speed, time of day, action choice) that are exposed through a standard EMS (Element Management System) and are easy to manipulate by a typical network operator. When a CSP wants to create or manage more complex aspects of freeform policy (cascading expressions, special functions, complex expressions, ad-hoc use case creation, looping measurements, 5 For a complete overview of the advantage of distributed policy decisions, see the whitepaper Distributed Decisions in Policy Control. Page 10
etc.) without outside assistance, it requires some investment in training employees to use Control Center to modify the language independently and efficiently (see PowerEdit below). Usability is a complex issue because it is impacted by user type and solution adaptability factors that are difficult to quantify. Control Center has been specifically designed with functionality and views tailored to the capabilities of specific user types based on their scope of knowledge and assigned tasks. Policy Wizards Control Center includes a Policy Wizard that helps create SandScript policies for common use cases, and helps with configuring policy packages. QuickEdit Control Center offers a tool for novice users called QuickEdit that manages limited variables within policy. This feature provides a simple interface that lets even novice users make changes to existing measurement and management policies without needing to dive into the full policy files. Figure 8: QuickEdit PowerEdit A tool called PowerEdit enables direct authoring and revision of the policy script itself. When you use PowerEdit, you re working with the same interface as our team. PowerEdit gives you complete access to all of the Policy Engine s features and capabilities, letting you link any condition to any action, without holding anything back. Policy Libraries Control Center comes with a library of prewritten and pretested SandScript snippets to get you up and running. Simply drag-and-drop the desired library into PowerEdit, and the SandScript appears, ready for editing and tweaking to suit your specific use cases and business objectives. Sandvine offers both Page 11
training and professional services for SandScript policy creation. Figure 9 shows a policy snippet that performs the following functions: 1. Implements a function to redirect RTSP requests using a 302 Moved Temporarily response (with a Cseq header) and to close the connection 2. Defines a map of the URIs that will be redirected, and the location to which they will redirect 3. Redirects RTSP requests that match the list Extensibility Figure 9: PowerEdit policy snippet The Policy Engine is designed to adapt as Internet applications, subscriber behaviors, standards and regulations change. Largely enabled by SandScript s freeform policy expression, Sandvine policies are easy to update in the field, are configured the same way regardless of hardware type, and can readily adapt to changing standards. With SandScript, an infinite number of conditions and actions can be conceptualized and perpetually expanded upon, allowing CSPs to easily keep pace with required adjustments and capitalize on new opportunities. Using a GUI that includes automatic error-checking, CSP operators and Sandvine professionals create and update policies in the field by arranging the assembly blocks of SandScript s freeform syntax as described above in the usability section. Page 12
Freeform policy is by nature more flexible and primed for quick adjustments, since the SandScript policy definitions can be quickly edited from one location and immediately deployed across the network. Sandvine element policy language updates, and updates to the supporting operating system, require no firmware or hardware replacements. As the Internet continues to evolve, new and updated policies are quickly distributed in a uniform manner to the SDE and PTS elements hosting the Policy Engine. Regulatory Peace-of-Mind As CSPs, subscribers and government entities continue to discuss, define and refine Internet Network Policy Control regulations, Network Policy Control solutions should be ever-poised to anticipate the changing regulatory landscape. A rigid-form approach, with a rigid policy expression matrix programmed in a factory, cannot adapt quickly to changes in regulations and Internet trends that present new opportunities to save costs or generate revenue. Scalability Infinite Rule Capacity CSPs must ensure that their chosen approach to policy management can scale with the network and future policy plans. Sandvine s freeform approach to policy expression offers an unlimited number of rules expressed in an efficient manner that maximizes performance by reducing the impact on CPU usage. The best analogy to use when thinking about the scaling implications of rigid-form policy is to think of a large novel where each sentence is written on a separate page. Imagine the length of that book and the effort it would take to read it or edit it, let alone store it somewhere. This is how the CPU in a hardware appliance designed to process policy in real-time experiences rigid-form as compared to freeform. Freeform policy behaves much more like a standard novel in how it interacts with the processing capabilities of an appliance. The CPU is given fully defined logical expressions from a policy language that fully expresses the interdependent conditions and actions that define what to do in a given circumstance without limitation. Page 13
Example Use Cases In addition to the family plan quota management example provided earlier, the following are examples of use cases that achieve their full potential because they are expressed using the Sandvine Policy Engine and SandScript policy language. Understanding End User Quality of Experience The Policy Engine, and specifically the freeform policy expression provided by SandScript, is uniquely suited to use cases that require the measurement of one of more things. For example, for each application type (e.g., video, web browsing, voice-over-ip, gaming, etc.) and overall (i.e., for all traffic), quantitatively measure and clearly present quality of experience scores. This requires a solution to measure network latency, video buffering, video bailouts and CDN performance, and publish those measurements to database. To maximize utility the policy must also correlate these measurements with relevant conditions such as time of day, subscriber location and content provider to reveal true insight. For example, shows the significant difference in page load time between the three most frequently loaded web pages on a Canadian fixed access network. The most popular site (the yellowish line) averages about 4 seconds to load, while the other two load much more quickly. Additionally, the most popular site experienced performance degradation at 9pm precisely when the network is approaching peak utilization. The second most popular site (the charcoal line) exhibits variation in average load time during the evening, ranging from one second to as much as 5.5 seconds. Figure 10: Page Load Time by Provider Bill Shock & Roaming Notification Mobile networks use GTP tunneling in which the outer IP identifies the serving network, and the inner IP identifies the user. The Policy Engine and freeform policy expression through SandScript allows CSPs Page 14
to accurately identify conditions in both the inner-tunnel and outer-tunnel. A rigid-form policy creation and execution model cannot achieve this use case even if a box is deployed on these interfaces, the inability to inspect both inside and outside of the tunnel due to the lack of cascading policy (supported through freeform) means the traffic will be double-counted, if counted at all. If the solution relies on AAA for the visiting network subscriber awareness, the time-lag will result in misapplied policy, counting errors, billing errors, and the visiting SGSN may not even have a 3GPP AAA extension enabled. In this particular example, the Policy Engine intersects traffic either going out to the GGSN being accessed by the subscriber or coming in from the GGSN bound for the subscriber, and measured the data usage. Although this particular deployment was for a 3GPP HSPA network, the Sandvine implementation is both standards-compliant and access-technology-agnostic, and a similar solution is supported with other access technologies, including 3GPP2 and LTE. For example, in LTE networks Sandvine can intersect the S5/S8 interface to apply policy simultaneously for the serving network and subscriber. In HSPA networks, there is enormous benefit to having the PTS deployed on the Gn interface, as shown by Figure 11. From there it can also tap the Gp interface. Figure 11: Sandvine European Union data roaming regulatory compliance implementation topology Application-based, Multi-Layered Service Plan Offerings The freeform policy environment provided by the Policy Engine and SandScript allows Sandvine s customers, such as the Latin American carrier used in the example below, to field a rich set of revenue-generating services plans that can be monitored with Network Analytics and quickly adapted across the end-to-end solution. Page 15
Figure 12: SandScript-enabled multi-layered service offerings Mitigate DDoS Attacks Inbound denial-of-service attacks are attempts to make a network resource unavailable; even if they aren t completely successful, they can still have a major negative impact on customer experience. Outbound attacks leverage network resources to attack something outside the network these come from infected subscribers on the network who are part of a coordinated botnet and they can damage the reputation of the source CSPs, potentially leading to blacklisting by the online community. For over a decade, Sandvine s Network Security has been protecting network services and CSP reputations with real-time, behavior-based DDoS detection and mitigation policies. Using multiple conditions, measurements, and cascading levels of policy evaluation, the solution delivers precise, zero-day protection against three categories of DDos attack: SYN Floods: overwhelm the target s ability to process SYN packets Flow Floods: overwhelm the target s flow state memory Bandwidth Floods: overwhelm the target with traffic Figure 13: Network Security in Monitoring-only mode shows SYN Flood attack traffic Page 16
Conclusion The versatile and powerful Policy Engine provides a single platform on which to introduce unified, standards-compliant network policy control into any fixed, mobile, or converged access network, whether the network is physical or virtual. The Sandvine Policy Engine a single mechanism by which communications service providers can express any past, present, or future network policy control use case. SandScript is an event-driven policy definition language that empowers CSPs to fully utilize the Sandvine Policy Engine with programmatic flexibility, and without restriction. Much more than the typical rules-based systems that severely restrict the user and cannot execute orthogonal policy conditions, SandScript allows freeform policy expression to link any condition to any action. This method of policy expression provides Sandvine s customers with a significant advantage over competitors because they are able to precisely achieve their desired business goals through network policy control. Related Resources The following have been referenced in footnotes and are particularly relevant for a deeper understanding of Sandvine policy control: Network Policy Control Methods and Considerations Identifying and Measuring Internet Traffic: Techniques and Considerations Distributed Decisions in Network Policy Control Invitation to Provide Feedback Thank you for taking the time to read this technology showcase. We hope that you found it useful, and that it helped you understand our web browsing quality of experience solution. If you have any feedback or have questions that have gone unanswered, then please send a note to whitepapers@sandvine.com Page 17
Headquarters Sandvine Incorporated ULC Waterloo, Ontario Canada Phone: +1 519 880 2600 Email: sales@sandvine.com European Offices Sandvine Limited Basingstoke, UK Phone: +44 0 1256 698021 Email: sales@sandvine.co.uk Copyright 2015 Sandvine Incorporated ULC. Sandvine and the Sandvine logo are registered trademarks of Sandvine Incorporated ULC. All rights reserved.